Exchange 2010 Network Port Reference

Posted: October 30, 2010 in Exchange, Exchange Network Port Reference

Source: Microsoft Exchange 2010 Help File (.CHM)

Exchange Network Port Reference

Transport Servers

Exchange 2010 includes two server roles that perform message transport functionality: Hub Transport server and Edge Transport server.

The following table provides information about ports, authentication, and encryption for data paths between these transport servers and other Exchange 2010 servers and services.

Transport server data paths

Data path | Required ports | Default authentication | Supported authentication | Encryption supported? | Encrypted by default?
Hub Transport server to Hub Transport server | 25/TCP (SMTP) | Kerberos | Kerberos | Yes, using Transport Layer Security (TLS) | Yes
Hub Transport server to Edge Transport server | 25/TCP (SMTP) | Direct trust | Direct trust | Yes, using TLS | Yes
Edge Transport server to Hub Transport server | 25/TCP (SMTP) | Direct trust | Direct trust | Yes, using TLS | Yes
Edge Transport server to Edge Transport server | 25/TCP (SMTP) | Anonymous, Certificate | Anonymous, Certificate | Yes, using TLS | Yes
Mailbox server to Hub Transport server via the Microsoft Exchange Mail Submission Service | 135/TCP (RPC) | NTLM. If the Hub Transport and Mailbox server roles are on the same server, Kerberos is used. | NTLM/Kerberos | Yes, using RPC encryption | Yes
Hub Transport server to Mailbox server via MAPI | 135/TCP (RPC) | NTLM. If the Hub Transport and Mailbox server roles are on the same server, Kerberos is used. | NTLM/Kerberos | Yes, using RPC encryption | Yes
Unified Messaging server to Hub Transport server | 25/TCP (SMTP) | Kerberos | Kerberos | Yes, using TLS | Yes
Microsoft Exchange EdgeSync service from Hub Transport server to Edge Transport server | 50636/TCP (SSL) | Basic | Basic | Yes, using LDAP over SSL (LDAPS) | Yes
Active Directory access from Hub Transport server | 389/TCP/UDP (LDAP), 3268/TCP (LDAP GC), 88/TCP/UDP (Kerberos), 53/TCP/UDP (DNS), 135/TCP (RPC netlogon) | Kerberos | Kerberos | Yes, using Kerberos encryption | Yes
Active Directory Rights Management Services (AD RMS) access from Hub Transport server | 443/TCP (HTTPS) | NTLM/Kerberos | NTLM/Kerberos | Yes, using SSL | Yes
SMTP clients to Hub Transport server (for example, end users using Windows Live Mail) | 587/TCP (SMTP), 25/TCP (SMTP) | NTLM/Kerberos | NTLM/Kerberos | Yes, using TLS | Yes
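The last row is the one most often exposed to untrusted networks: client submission on 587/TCP with NTLM/Kerberos and TLS enabled by default. The check a practitioner wants is whether the connector offers STARTTLS and whether it advertises password-based AUTH mechanisms (LOGIN, PLAIN) on the plaintext session, since that is how credentials end up readable on the wire. The following Python script is an added example, not code from the Exchange documentation: it parses EHLO replies offline and can also probe a live server. The host name is an assumption and the EHLO transcripts are constructed, not captured.

```python
"""Check an SMTP submission endpoint for the posture the table describes:
STARTTLS offered, credentials accepted only after the session is encrypted.

Added example, not from the Exchange documentation. Host names are
assumptions; the EHLO transcripts below are constructed for offline use."""
import smtplib
import ssl
from typing import Dict, List, Optional


def parse_ehlo(response: str) -> Dict[str, str]:
    """Turn a multi-line EHLO reply into {EXTENSION: parameters}.
    The first line is the server greeting and carries no extension."""
    features: Dict[str, str] = {}
    for line in response.splitlines()[1:]:
        body = line[4:].strip()          # drop the "250-" / "250 " prefix
        if not body:
            continue
        name, _, params = body.partition(" ")
        features[name.upper()] = params
    return features


def assess_submission(before_tls: Dict[str, str],
                      after_tls: Optional[Dict[str, str]]) -> Dict[str, object]:
    """Judge a connector from its EHLO feature sets.
    before_tls: extensions advertised on the plaintext connection.
    after_tls:  extensions advertised after STARTTLS, or None if TLS was
                not offered or the handshake failed."""
    auth_before: List[str] = before_tls.get("AUTH", "").split()
    auth_after: List[str] = (after_tls or {}).get("AUTH", "").split()
    return {
        "starttls_offered": "STARTTLS" in before_tls,
        "auth_before_tls": auth_before,
        "auth_after_tls": auth_after,
        # LOGIN and PLAIN carry the password itself (base64, not encrypted);
        # offering them before TLS lets a client send it in the clear.
        "plaintext_credentials_possible": any(
            m in ("LOGIN", "PLAIN") for m in auth_before),
    }


def probe(host: str, port: int = 587, timeout: float = 10.0) -> Dict[str, object]:
    """Live check against a real server (network access required)."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        # smtplib lower-cases feature names; normalise to the parser's form.
        before = {k.upper(): v for k, v in smtp.esmtp_features.items()}
        after = None
        if smtp.has_extn("starttls"):
            smtp.starttls(context=ssl.create_default_context())  # verifies cert
            smtp.ehlo()
            after = {k.upper(): v for k, v in smtp.esmtp_features.items()}
    return assess_submission(before, after)


# Constructed transcripts (not captured from a real server).
PLAINTEXT_EHLO = """250-hub01.contoso.example Hello [10.0.0.5]
250-SIZE 10485760
250-STARTTLS
250-AUTH NTLM
250 8BITMIME"""

POST_TLS_EHLO = """250-hub01.contoso.example Hello [10.0.0.5]
250-SIZE 10485760
250-AUTH NTLM LOGIN
250 8BITMIME"""

# A connector that has been loosened: no STARTTLS, password AUTH in the clear.
WEAK_EHLO = """250-hub01.contoso.example Hello [10.0.0.5]
250-AUTH LOGIN PLAIN
250 8BITMIME"""

if __name__ == "__main__":
    print(assess_submission(parse_ehlo(PLAINTEXT_EHLO), parse_ehlo(POST_TLS_EHLO)))
    print(assess_submission(parse_ehlo(WEAK_EHLO), None))
    # Live use: probe("hub01.contoso.example")   # host name is an assumption
```

The default posture in the first pair (NTLM only before TLS, LOGIN added once the session is encrypted) is what the table's "Encrypted by default? Yes" amounts to in practice; the second transcript is the shape to look for after someone has relaxed a receive connector.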

Mailbox Servers

Whether NTLM or Kerberos authentication is used for Mailbox servers depends on the user or process context that the Exchange Business Logic layer consumer is running under. In this context, the consumer is any application or process that uses the Exchange Business Logic layer. As a result, many entries in the Default Authentication column of the Mailbox server data paths table are listed as NTLM/Kerberos.

The Exchange Business Logic layer is used to access and communicate with the Exchange store. The Exchange Business Logic layer is also called from the Exchange store to communicate with external applications and processes.

If the Exchange Business Logic layer consumer is running as Local System, the authentication method is always Kerberos from the consumer to the Exchange store. Kerberos is used because the consumer must be authenticated by using the Local System computer account, and a two-way authenticated trust must exist.

If the Exchange Business Logic layer consumer isn’t running as Local System, the authentication method is NTLM. For example, NTLM is used when you run an Exchange Management Shell cmdlet that uses the Exchange Business Logic layer.

The RPC traffic is always encrypted.

The following table provides information about ports, authentication, and encryption for data paths to and from Mailbox servers.

Mailbox server data paths

Data path | Required ports | Default authentication | Supported authentication | Encryption supported? | Encrypted by default?
Active Directory access | 389/TCP/UDP (LDAP), 3268/TCP (LDAP GC), 88/TCP/UDP (Kerberos), 53/TCP/UDP (DNS), 135/TCP (RPC netlogon) | Kerberos | Kerberos | Yes, using Kerberos encryption | Yes
Admin remote access (Remote Registry) | 135/TCP (RPC) | NTLM/Kerberos | NTLM/Kerberos | Yes, using IPsec | No
Admin remote access (SMB/File) | 445/TCP (SMB) | NTLM/Kerberos | NTLM/Kerberos | Yes, using IPsec | No
Availability Web service (Client Access to Mailbox) | 135/TCP (RPC) | NTLM/Kerberos | NTLM/Kerberos | Yes, using RPC encryption | Yes
Clustering | 135/TCP (RPC). See Notes on Mailbox Servers. | NTLM/Kerberos | NTLM/Kerberos | Yes, using IPsec | No
Content indexing | 135/TCP (RPC) | NTLM/Kerberos | NTLM/Kerberos | Yes, using RPC encryption | Yes
Log shipping | 64327/TCP (customizable) | NTLM/Kerberos | NTLM/Kerberos | Yes | No
Seeding | 64327/TCP (customizable) | NTLM/Kerberos | NTLM/Kerberos | Yes | No
Volume shadow copy service (VSS) backup | Server Message Block (SMB), 445/TCP | NTLM/Kerberos | NTLM/Kerberos | No | No
Mailbox Assistants | 135/TCP (RPC) | NTLM/Kerberos | NTLM/Kerberos | No | No
MAPI access | 135/TCP (RPC) | NTLM/Kerberos | NTLM/Kerberos | Yes, using RPC encryption | Yes
Microsoft Exchange Active Directory Topology service access | 135/TCP (RPC) | NTLM/Kerberos | NTLM/Kerberos | Yes, using RPC encryption | Yes
Microsoft Exchange System Attendant service legacy access (listen to requests) | 135/TCP (RPC) | NTLM/Kerberos | NTLM/Kerberos | No | No
Microsoft Exchange System Attendant service legacy access to Active Directory | 389/TCP/UDP (LDAP), 3268/TCP (LDAP GC), 88/TCP/UDP (Kerberos), 53/TCP/UDP (DNS), 135/TCP (RPC netlogon) | Kerberos | Kerberos | Yes, using Kerberos encryption | Yes
Microsoft Exchange System Attendant service legacy access (as MAPI client) | 135/TCP (RPC) | NTLM/Kerberos | NTLM/Kerberos | Yes, using RPC encryption | Yes
Offline address book (OAB) accessing Active Directory | 135/TCP (RPC) | Kerberos | Kerberos | Yes, using RPC encryption | Yes
Outlook accessing OAB | 80/TCP, 443/TCP (SSL) | NTLM/Kerberos | NTLM/Kerberos | Yes, using HTTPS | No
Recipient Update Service RPC access | 135/TCP (RPC) | Kerberos | Kerberos | Yes, using RPC encryption | Yes
Recipient update to Active Directory | 389/TCP/UDP (LDAP), 3268/TCP (LDAP GC), 88/TCP/UDP (Kerberos), 53/TCP/UDP (DNS), 135/TCP (RPC netlogon) | Kerberos | Kerberos | Yes, using Kerberos encryption | Yes
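Several rows above are "Encrypted by default? No": Remote Registry and clustering over RPC, SMB file access and VSS backup on 445/TCP, and DAG log shipping and seeding on 64327/TCP. Those are the paths where the decision to add IPsec (or, for replication, DAG network encryption) has to be made deliberately. The following Python script is an added example, not code from the Exchange documentation: it connect-scans the fixed-port subset of the table on a Mailbox server and lists the reachable paths that the table marks unencrypted. The host name is an assumption and SAMPLE_SCAN is a constructed result; dynamic RPC endpoints cannot be enumerated in advance, so the endpoint mapper (135) stands in for the RPC-based rows.

```python
"""Connect-scan the fixed-port data paths of the Mailbox server table and
report the reachable ones that are not encrypted by default.

Added example, not from the Exchange documentation. The host name is an
assumption; SAMPLE_SCAN is a constructed result, not a real scan."""
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable, List, Tuple


def mailbox_paths(replication_port: int = 64327) -> List[Tuple[int, str, bool]]:
    """(port, data path, encrypted by default) for the table's fixed ports.
    64327 is the table's default log shipping/seeding port and is customizable,
    so it is passed in rather than hard-coded."""
    return [
        (135, "MAPI access, Availability, content indexing (RPC)", True),
        (135, "Admin remote access (Remote Registry) (RPC)", False),
        (135, "Clustering (RPC)", False),
        (445, "Admin remote access (SMB/File)", False),
        (445, "Volume shadow copy service (VSS) backup", False),
        (replication_port, "Log shipping", False),
        (replication_port, "Seeding", False),
    ]


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan(host: str, ports: Iterable[int], workers: int = 16) -> Dict[int, bool]:
    """Concurrent connect scan; returns {port: reachable}."""
    targets = sorted(set(ports))
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: tcp_open(host, p), targets))
    return dict(zip(targets, results))


def exposed_unencrypted(open_ports: Dict[int, bool],
                        replication_port: int = 64327) -> List[str]:
    """Reachable data paths whose traffic the table says is not encrypted
    unless IPsec (or DAG network encryption) is configured."""
    return [
        f"{port}/TCP {name}"
        for port, name, encrypted in mailbox_paths(replication_port)
        if open_ports.get(port) and not encrypted
    ]


def audit(host: str, replication_port: int = 64327) -> List[str]:
    """Scan a Mailbox server and report the unencrypted-by-default paths it exposes."""
    ports = {port for port, _, _ in mailbox_paths(replication_port)}
    return exposed_unencrypted(scan(host, ports), replication_port)


# Constructed scan result (not captured from a real server): RPC and SMB
# reachable, the replication port blocked by an intermediate firewall.
SAMPLE_SCAN = {135: True, 445: True, 64327: False}

if __name__ == "__main__":
    for line in exposed_unencrypted(SAMPLE_SCAN):
        print("reachable, not encrypted by default:", line)
    # Live use: audit("mbx01.contoso.example")   # host name is an assumption
```

Run it from the network segment the question is about (an admin workstation, another DAG member, a backup host): what matters is which of these paths are reachable from where. For the replication rows, the Exchange Management Shell switch that turns encryption on is Set-DatabaseAvailabilityGroup with -NetworkEncryption, which also accepts InterSubnetOnly and SeedOnly; the replication port itself is changed with -ReplicationPort on the same cmdlet.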

Client Access Servers

Unless noted, client access technologies, such as Outlook Web App, POP3, or IMAP4, are described by the authentication and encryption from the client application to the Client Access server.

The following table provides information about port, authentication, and encryption for data paths between Client Access servers and other servers and clients.

Client Access server data paths

Data path | Required ports | Default authentication | Supported authentication | Encryption supported? | Encrypted by default?
Active Directory access | 389/TCP/UDP (LDAP), 3268/TCP (LDAP GC), 88/TCP/UDP (Kerberos), 53/TCP/UDP (DNS), 135/TCP (RPC netlogon) | Kerberos | Kerberos | Yes, using Kerberos encryption | Yes
Autodiscover service | 80/TCP, 443/TCP (SSL) | Basic/Integrated Windows authentication (Negotiate) | Basic, Digest, NTLM, Negotiate (Kerberos) | Yes, using HTTPS | Yes
Availability service | 80/TCP, 443/TCP (SSL) | NTLM/Kerberos | NTLM, Kerberos | Yes, using HTTPS | Yes
Outlook Web App | 80/TCP, 443/TCP (SSL) | Forms Based Authentication | Basic, Digest, Forms Based Authentication, NTLM (v2 only), Kerberos, Certificate | Yes, using HTTPS | Yes, using a self-signed certificate
POP3 | 110/TCP (TLS), 995/TCP (SSL) | Basic, Kerberos | Basic, Kerberos | Yes, using SSL, TLS | Yes
IMAP4 | 143/TCP (TLS), 993/TCP (SSL) | Basic, Kerberos | Basic, Kerberos | Yes, using SSL, TLS | Yes
Outlook Anywhere (formerly known as RPC over HTTP) | 80/TCP, 443/TCP (SSL) | Basic | Basic or NTLM | Yes, using HTTPS | Yes
Exchange ActiveSync application | 80/TCP, 443/TCP (SSL) | Basic | Basic, Certificate | Yes, using HTTPS | Yes
Client Access server to Unified Messaging server | 5060/TCP, 5061/TCP, 5062/TCP, a dynamic port | By IP address | By IP address | Yes, using Session Initiation Protocol (SIP) over TLS | Yes
Client Access server to a Mailbox server that is running an earlier version of Exchange Server | 80/TCP, 443/TCP (SSL) | NTLM/Kerberos | Negotiate (Kerberos with fallback to NTLM or optionally Basic), POP/IMAP plain text | Yes, using IPsec | No
Client Access server to Exchange 2010 Mailbox server | RPC. See Notes on Client Access Servers. | Kerberos | NTLM/Kerberos | Yes, using RPC encryption | Yes
Client Access server to Client Access server (Exchange ActiveSync) | 80/TCP, 443/TCP (SSL) | Kerberos | Kerberos, Certificate | Yes, using HTTPS | Yes, using a self-signed certificate
Client Access server to Client Access server (Outlook Web Access) | 80/TCP, 443/TCP (HTTPS) | Kerberos | Kerberos | Yes, using SSL | Yes
Client Access server to Client Access server (Exchange Web Services) | 443/TCP (HTTPS) | Kerberos | Kerberos | Yes, using SSL | Yes
Client Access server to Client Access server (POP3) | 995/TCP (SSL) | Basic | Basic | Yes, using SSL | Yes
Client Access server to Client Access server (IMAP4) | 993/TCP (SSL) | Basic | Basic | Yes, using SSL | Yes
Office Communications Server access to Client Access server (when Office Communications Server and Outlook Web App integration is enabled) | 5075-5077/TCP (in), 5061/TCP (out) | mTLS (required) | mTLS (required) | Yes, using SSL | Yes
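The "Supported authentication" column is what a Client Access server may offer; what a given virtual directory actually offers is visible in the WWW-Authenticate challenges of its 401 reply, and that is what an external reviewer checks (Basic on an HTTP listener, or Basic on an endpoint the table does not list it for). The following Python script is an added example, not code from the Exchange documentation: it parses the challenges offline and can query a live server. The virtual directory paths are the standard Exchange 2010 names and are an assumption for any particular deployment; the host name and the header sets are constructed.

```python
"""Compare the HTTP authentication schemes a Client Access server offers on
its virtual directories with the "Supported authentication" column above.

Added example, not from the Exchange documentation. Paths are the standard
Exchange 2010 virtual directory names (an assumption for your deployment);
the host name and the 401 header sets below are constructed."""
import http.client
import ssl
from typing import Dict, List, Set, Tuple

# Path -> schemes the table lists as supported. "Kerberos" in the table is
# carried by the Negotiate scheme; Forms Based and Certificate authentication
# never show up as WWW-Authenticate challenges.
TABLE_SUPPORTED: Dict[str, Set[str]] = {
    "/Autodiscover/Autodiscover.xml": {"Basic", "Digest", "NTLM", "Negotiate"},
    "/EWS/Exchange.asmx": {"NTLM", "Negotiate"},      # Availability service
    "/Rpc/RpcProxy.dll": {"Basic", "NTLM"},           # Outlook Anywhere
    "/Microsoft-Server-ActiveSync": {"Basic"},
}


def challenges(headers: List[Tuple[str, str]]) -> Set[str]:
    """Scheme names from every WWW-Authenticate header. IIS sends one header
    per scheme; a comma-separated list in a single header is also accepted.
    (A realm value containing a comma would be split wrongly; Exchange's do not.)"""
    schemes: Set[str] = set()
    for name, value in headers:
        if name.lower() != "www-authenticate":
            continue
        for challenge in value.split(","):
            scheme = challenge.strip().split(" ", 1)[0]
            if scheme:
                schemes.add(scheme)
    return schemes


def evaluate(path: str, status: int, headers: List[Tuple[str, str]],
             over_tls: bool) -> Dict[str, object]:
    """Findings for one endpoint: what is offered, what the table does not
    list, and whether Basic (password readable on the wire) is offered
    without TLS."""
    offered = challenges(headers)
    expected = TABLE_SUPPORTED.get(path, set())
    return {
        "path": path,
        "status": status,
        "offered": sorted(offered),
        "not_in_table": sorted(offered - expected),
        "basic_without_tls": ("Basic" in offered) and not over_tls,
    }


def probe(host: str, path: str, use_tls: bool = True,
          timeout: float = 10.0) -> Dict[str, object]:
    """Live unauthenticated GET (network access required); a 401 carrying
    WWW-Authenticate headers is the expected reply."""
    if use_tls:
        conn = http.client.HTTPSConnection(host, 443, timeout=timeout,
                                           context=ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return evaluate(path, resp.status, resp.getheaders(), use_tls)
    finally:
        conn.close()


# Constructed 401 header sets (not captured from a real server).
EWS_HEADERS = [
    ("Server", "Microsoft-IIS/7.5"),
    ("WWW-Authenticate", "Negotiate"),
    ("WWW-Authenticate", "NTLM"),
    ("WWW-Authenticate", 'Basic realm="mail.contoso.example"'),
]
EAS_HEADERS = [("WWW-Authenticate", 'Basic realm="mail.contoso.example"')]

if __name__ == "__main__":
    print(evaluate("/EWS/Exchange.asmx", 401, EWS_HEADERS, over_tls=True))
    print(evaluate("/Microsoft-Server-ActiveSync", 401, EAS_HEADERS, over_tls=False))
    # Live use: probe("mail.contoso.example", "/EWS/Exchange.asmx")
```

Two things the offline samples show: Basic on EWS is outside the table's list for the Availability service and is worth checking against the virtual directory's configuration, and Basic on a plain-HTTP listener is the finding that matters most, because the table's "Encrypted by default? Yes" only holds on 443.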

Unified Messaging Servers

IP gateways and IP PBXs support only certificate-based authentication, which uses mutual TLS to encrypt SIP traffic, and IP-based authentication for Session Initiation Protocol (SIP)/TCP connections. IP gateways support neither NTLM nor Kerberos authentication. Therefore, when you use IP-based authentication, the connecting IP address or addresses are the only authentication mechanism for unencrypted (TCP) connections: the Unified Messaging (UM) server verifies that the source IP address is allowed to connect, and the allowed address is the one configured for the IP gateway or IP PBX. Because nothing but the source address is checked on such a connection, anything that can reach the UM server from an allowed address is trusted; prefer mutual TLS wherever the gateway supports it.

IP gateways and IP PBXs support mutual TLS for encrypting SIP traffic. After you import and export the required trusted certificates, the IP gateway or IP PBX requests a certificate from the UM server, and the UM server in turn requests a certificate from the IP gateway or IP PBX. Exchanging trusted certificates in both directions lets the IP gateway or IP PBX and the UM server communicate over an encrypted connection using mutual TLS.

The following table provides information about port, authentication, and encryption for data paths between UM servers and other servers.

Unified Messaging server data paths

Data path | Required ports | Default authentication | Supported authentication | Encryption supported? | Encrypted by default?
Active Directory access | 389/TCP/UDP (LDAP), 3268/TCP (LDAP GC), 88/TCP/UDP (Kerberos), 53/TCP/UDP (DNS), 135/TCP (RPC netlogon) | Kerberos | Kerberos | Yes, using Kerberos encryption | Yes
Unified Messaging phone interaction (IP PBX/VoIP gateway) | 5060/TCP, 5065/TCP, 5067/TCP (unsecured); 5061/TCP, 5066/TCP, 5068/TCP (secured); a dynamic port from the range 16000-17000/TCP (control); dynamic UDP ports from the range 1024-65535/UDP (RTP) | By IP address | By IP address, MTLS | Yes, using SIP/TLS, SRTP | No
Unified Messaging Web Service | 80/TCP, 443/TCP (SSL) | Integrated Windows authentication (Negotiate) | Basic, Digest, NTLM, Negotiate (Kerberos) | Yes, using SSL | Yes
Unified Messaging server to Client Access server | 5075/TCP, 5076/TCP, 5077/TCP | Integrated Windows authentication (Negotiate) | Basic, Digest, NTLM, Negotiate (Kerberos) | Yes, using SSL | Yes
Unified Messaging server to Client Access server (Play on Phone) | Dynamic RPC | NTLM/Kerberos | NTLM/Kerberos | Yes, using RPC encryption | Yes
Unified Messaging server to Hub Transport server | 25/TCP (TLS) | Kerberos | Kerberos | Yes, using TLS | Yes
Unified Messaging server to Mailbox server | 135/TCP (RPC) | NTLM/Kerberos | NTLM/Kerberos | Yes, using RPC encryption | Yes

Windows Firewall Rules Created by Exchange 2010 Setup

Windows Firewall with Advanced Security is a stateful, host-based firewall that filters inbound and outbound traffic based on firewall rules. Exchange 2010 Setup creates Windows Firewall rules to open the ports required for server and client communication on each server role. Therefore, you no longer need to use the Security Configuration Wizard (SCW) to configure these settings. To learn more about Windows Firewall with Advanced Security, see Windows Firewall with Advanced Security and IPsec.

This table lists the Windows Firewall rules created by Exchange Setup, including the ports opened on each server role. You can view these rules using the Windows Firewall with Advanced Security MMC snap-in.

Rule name | Server roles | Port | Program
MSExchangeADTopology - RPC (TCP-In) | Client Access, Hub Transport, Mailbox, Unified Messaging | Dynamic RPC | Bin\MSExchangeADTopologyService.exe
MSExchangeMonitoring - RPC (TCP-In) | Client Access, Hub Transport, Edge Transport, Unified Messaging | Dynamic RPC | Bin\Microsoft.Exchange.Management.Monitoring.exe
MSExchangeServiceHost - RPC (TCP-In) | All roles | Dynamic RPC | Bin\Microsoft.Exchange.ServiceHost.exe
MSExchangeServiceHost - RPCEPMap (TCP-In) | All roles | RPC-EPMap | Bin\Microsoft.Exchange.ServiceHost.exe
MSExchangeRPCEPMap (GFW) (TCP-In) | All roles | RPC-EPMap | Any
MSExchangeRPC (GFW) (TCP-In) | Client Access, Hub Transport, Mailbox, Unified Messaging | Dynamic RPC | Any
MSExchange - IMAP4 (GFW) (TCP-In) | Client Access | 143, 993 (TCP) | Any
MSExchangeIMAP4 (TCP-In) | Client Access | 143, 993 (TCP) | ClientAccess\PopImap\Microsoft.Exchange.Imap4Service.exe
MSExchange - POP3 (GFW) (TCP-In) | Client Access | 110, 995 (TCP) | Any
MSExchange - POP3 (TCP-In) | Client Access | 110, 995 (TCP) | ClientAccess\PopImap\Microsoft.Exchange.Pop3Service.exe
MSExchange - OWA (GFW) (TCP-In) | Client Access | 5075, 5076, 5077 (TCP) | Any
MSExchangeOWAAppPool (TCP-In) | Client Access | 5075, 5076, 5077 (TCP) | Inetsrv\w3wp.exe
MSExchangeAB-RPC (TCP-In) | Client Access | Dynamic RPC | Bin\Microsoft.Exchange.AddressBook.Service.exe
MSExchangeAB-RPCEPMap (TCP-In) | Client Access | RPC-EPMap | Bin\Microsoft.Exchange.AddressBook.Service.exe
MSExchangeAB-RpcHttp (TCP-In) | Client Access | 6002, 6004 (TCP) | Bin\Microsoft.Exchange.AddressBook.Service.exe
RpcHttpLBS (TCP-In) | Client Access | Dynamic RPC | System32\Svchost.exe
MSExchangeRPC - RPC (TCP-In) | Client Access, Mailbox | Dynamic RPC | Bin\Microsoft.Exchange.RpcClientAccess.Service.exe
MSExchangeRPC - RPCEPMap (TCP-In) | Client Access, Mailbox | RPC-EPMap | Bin\Microsoft.Exchange.RpcClientAccess.Service.exe
MSExchangeRPC (TCP-In) | Client Access, Mailbox | 6001 (TCP) | Bin\Microsoft.Exchange.RpcClientAccess.Service.exe
MSExchangeMailboxReplication (GFW) (TCP-In) | Client Access | 808 (TCP) | Any
MSExchangeMailboxReplication (TCP-In) | Client Access | 808 (TCP) | Bin\MSExchangeMailboxReplication.exe
MSExchangeIS - RPC (TCP-In) | Mailbox | Dynamic RPC | Bin\Store.exe
MSExchangeIS RPCEPMap (TCP-In) | Mailbox | RPC-EPMap | Bin\Store.exe
MSExchangeIS (GFW) (TCP-In) | Mailbox | 6001, 6002, 6003, 6004 (TCP) | Any
MSExchangeIS (TCP-In) | Mailbox | 6001 (TCP) | Bin\Store.exe
MSExchangeMailboxAssistants - RPC (TCP-In) | Mailbox | Dynamic RPC | Bin\MSExchangeMailboxAssistants.exe
MSExchangeMailboxAssistants - RPCEPMap (TCP-In) | Mailbox | RPC-EPMap | Bin\MSExchangeMailboxAssistants.exe
MSExchangeMailSubmission - RPC (TCP-In) | Mailbox | Dynamic RPC | Bin\MSExchangeMailSubmission.exe
MSExchangeMailSubmission - RPCEPMap (TCP-In) | Mailbox | RPC-EPMap | Bin\MSExchangeMailSubmission.exe
MSExchangeMigration - RPC (TCP-In) | Mailbox | Dynamic RPC | Bin\MSExchangeMigration.exe
MSExchangeMigration - RPCEPMap (TCP-In) | Mailbox | RPC-EPMap | Bin\MSExchangeMigration.exe
MSExchangerepl - Log Copier (TCP-In) | Mailbox | 64327 (TCP) | Bin\MSExchangeRepl.exe
MSExchangerepl - RPC (TCP-In) | Mailbox | Dynamic RPC | Bin\MSExchangeRepl.exe
MSExchangerepl - RPC-EPMap (TCP-In) | Mailbox | RPC-EPMap | Bin\MSExchangeRepl.exe
MSExchangeSearch - RPC (TCP-In) | Mailbox | Dynamic RPC | Bin\Microsoft.Exchange.Search.ExSearch.exe
MSExchangeThrottling - RPC (TCP-In) | Mailbox | Dynamic RPC | Bin\MSExchangeThrottling.exe
MSExchangeThrottling - RPCEPMap (TCP-In) | Mailbox | RPC-EPMap | Bin\MSExchangeThrottling.exe
MSFTED - RPC (TCP-In) | Mailbox | Dynamic RPC | Bin\MSFTED.exe
MSFTED - RPCEPMap (TCP-In) | Mailbox | RPC-EPMap | Bin\MSFTED.exe
MSExchangeEdgeSync - RPC (TCP-In) | Hub Transport | Dynamic RPC | Bin\Microsoft.Exchange.EdgeSyncSvc.exe
MSExchangeEdgeSync - RPCEPMap (TCP-In) | Hub Transport | RPC-EPMap | Bin\Microsoft.Exchange.EdgeSyncSvc.exe
MSExchangeTransportWorker - RPC (TCP-In) | Hub Transport | Dynamic RPC | Bin\edgetransport.exe
MSExchangeTransportWorker - RPCEPMap (TCP-In) | Hub Transport | RPC-EPMap | Bin\edgetransport.exe
MSExchangeTransportWorker (GFW) (TCP-In) | Hub Transport | 25, 587 (TCP) | Any
MSExchangeTransportWorker (TCP-In) | Hub Transport | 25, 587 (TCP) | Bin\edgetransport.exe
MSExchangeTransportLogSearch - RPC (TCP-In) | Hub Transport, Edge Transport, Mailbox | Dynamic RPC | Bin\MSExchangeTransportLogSearch.exe
MSExchangeTransportLogSearch - RPCEPMap (TCP-In) | Hub Transport, Edge Transport, Mailbox | RPC-EPMap | Bin\MSExchangeTransportLogSearch.exe
SESWorker (GFW) (TCP-In) | Unified Messaging | Any | Any
SESWorker (TCP-In) | Unified Messaging | Any | UnifiedMessaging\SESWorker.exe
UMService (GFW) (TCP-In) | Unified Messaging | 5060, 5061 | Any
UMService (TCP-In) | Unified Messaging | 5060, 5061 | Bin\UMService.exe
UMWorkerProcess (GFW) (TCP-In) | Unified Messaging | 5065, 5066, 5067, 5068 | Any
UMWorkerProcess (TCP-In) | Unified Messaging | 5065, 5066, 5067, 5068 | Bin\UMWorkerProcess.exe
UMWorkerProcess - RPC (TCP-In) | Unified Messaging | Dynamic RPC | Bin\UMWorkerProcess.exe
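Most fixed-port entries above come in pairs: a rule scoped to the Exchange binary and a "(GFW)" twin with Program "Any", which admits the port to whatever process happens to listen on it. Reviewing those, and checking that the rules Setup created are still present and enabled, is easier against an export than in the MMC snap-in. The following Python script is an added example, not code from the Exchange documentation: it parses the output of `netsh advfirewall firewall show rule name=all verbose` (the command-line counterpart of the snap-in, run on the server and redirected to a file) and compares it with the Mailbox-role rows of the table. SAMPLE_EXPORT is constructed, not a real export, and the install path in it is the usual Exchange 2010 default, an assumption.

```python
"""Audit Windows Firewall rules exported from an Exchange 2010 server against
the rule table above.

Added example, not part of the Exchange documentation. Input is the text of
`netsh advfirewall firewall show rule name=all verbose`; SAMPLE_EXPORT is
constructed and its install path is an assumed default, not a real export."""
import re
from typing import Dict, List, Set

# Mailbox-role rows of the table that open a fixed port. RPC and RPC-EPMap
# rows are left out: netsh prints those as "RPC" / "RPC-EPMap", not numbers.
EXPECTED_MAILBOX_RULES: Dict[str, Set[str]] = {
    "MSExchangeIS (GFW) (TCP-In)": {"6001", "6002", "6003", "6004"},
    "MSExchangeIS (TCP-In)": {"6001"},
    "MSExchangerepl - Log Copier (TCP-In)": {"64327"},
}

FIELD = re.compile(r"^([A-Za-z ]+?):\s*(.*)$")   # "LocalPort:   6001"


def parse_netsh_rules(text: str) -> List[Dict[str, str]]:
    """One {field: value} dict per rule. A 'Rule Name:' line starts a record;
    the dash separator and blank lines carry no colon and are skipped."""
    rules: List[Dict[str, str]] = []
    current = None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Rule Name":
            current = {"Rule Name": value}
            rules.append(current)
        elif current is not None:
            current[key] = value
    return rules


def ports_of(rule: Dict[str, str]) -> Set[str]:
    """LocalPort as a set: '6001,6002' -> {'6001','6002'}; 'Any'/'RPC' stay as is."""
    return {p.strip() for p in rule.get("LocalPort", "Any").split(",") if p.strip()}


def unscoped_allow_rules(rules: List[Dict[str, str]]) -> List[str]:
    """Enabled inbound Allow rules with Program 'Any', i.e. the (GFW) kind:
    the port is open to any listener, not only the named Exchange binary."""
    return [
        r["Rule Name"] for r in rules
        if r.get("Enabled") == "Yes" and r.get("Direction") == "In"
        and r.get("Action") == "Allow" and r.get("Program", "Any") == "Any"
    ]


def missing_or_changed(rules: List[Dict[str, str]],
                       expected: Dict[str, Set[str]] = EXPECTED_MAILBOX_RULES
                       ) -> Dict[str, str]:
    """Table rules that are absent, disabled, or open a different port set."""
    by_name = {r["Rule Name"]: r for r in rules}
    problems: Dict[str, str] = {}
    for name, ports in expected.items():
        rule = by_name.get(name)
        if rule is None:
            problems[name] = "missing"
        elif rule.get("Enabled") != "Yes":
            problems[name] = "disabled"
        elif ports_of(rule) != ports:
            problems[name] = "ports differ: " + ",".join(sorted(ports_of(rule)))
    return problems


SAMPLE_EXPORT = r"""
Rule Name:                            MSExchangeIS (GFW) (TCP-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            6001,6002,6003,6004
RemotePort:                           Any
Edge traversal:                       No
Program:                              Any
Action:                               Allow

Rule Name:                            MSExchangeIS (TCP-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Protocol:                             TCP
LocalPort:                            6001
Program:                              C:\Program Files\Microsoft\Exchange Server\V14\Bin\Store.exe
Action:                               Allow

Rule Name:                            MSExchangerepl - Log Copier (TCP-In)
----------------------------------------------------------------------
Enabled:                              No
Direction:                            In
Protocol:                             TCP
LocalPort:                            64327
Program:                              C:\Program Files\Microsoft\Exchange Server\V14\Bin\MSExchangeRepl.exe
Action:                               Allow
"""

if __name__ == "__main__":
    parsed = parse_netsh_rules(SAMPLE_EXPORT)
    print("program-agnostic allow rules:", unscoped_allow_rules(parsed))
    print("deviations from the table:", missing_or_changed(parsed))
```

Extend EXPECTED_MAILBOX_RULES with the rows for the roles installed on the server you are auditing; the parser does not care which role the rule belongs to. In the constructed sample the (GFW) store rule is the only program-agnostic allow, and the disabled log copier rule is reported, which on a DAG member would mean replication on 64327/TCP is blocked at the host.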